Steve**2 (Kent and Dusse),
The recent exchanges are interesting and important.
I'd like to offer a couple of comments.
Steve Kent's note on the 27th indicated that it was the intent
of PEM to REQUIRE that the PCA ID be displayed for a user.
I did not realize that was included in the RFC, as I still haven't
found my copy since unpacking after the most recent move.
I hope that someone will check, but if this is so it removes at
least part of my motivation for wanting to see name subordination
carried all the way to the PCA level. I thought that Matthew McGillis's
proposal to include the name in a pcaName attribute, rather than
as an OU, would both clarify the PCA for all to see and simultaneously
eliminate an ugly "heuristic" (and as one that has proposed a few in
my day, I know an ugly hack when I see one:-), but this may not be
necessary.
I agree that the IPRA probably does no harm, although it may
provide what will turn out to be a misplaced feeling of confidence. I
doubt that it will do anything at all to detect duplicity, nor will it
provide any confidence that the street address in question even
exists, much less that the person in question actually lives there.
It may provide some assurance against clerical errors, I suppose,
but I would rather have the PCA/residential CA take a little
more responsibility for actually ensuring that the person
does live there.
I agree with Steve Kent's use of the Organizational Notary as a means
of avoiding the creation of artificial CAs. I also agree with his implicit
suggestion that we not get carried away with the creation of lots
of OUs to mirror current internal organizational structures -- people
come and go fast enough as it is without having to issue CRLs
every time a company goes through an internal reorganization.
However, I would like to insist that whatever organization/OU is listed
at a given level (below the level of a state/locality and above any other
organizational unit or country/state/locality) be a more or less
permanent record-keeping office, not just a temporary field office
that may be dissolved on a moment's notice.
On the other hand, I am disturbed by the current trend to have
PCAs establish CAs to act as unofficial surrogates for state and local
governments.
The issue here revolves around the use of "naming authorities",
which are postulated in X.500 (and in other CCITT documents) without
regard to whether they actually exist or are operational, or ever will be.
I assume that we are now all in agreement with the requirement to
include the street address as part of a residential user's DN, both
to provide a reasonable level of name qualification and uniqueness,
and also to answer the question as to where to send the sheriff if
the need ever arises. I will include this in the compendium of naming
examples (I hesitate to say requirements, because of the lack of a clear
charter in this area) that I am collecting for the ABA document we
are trying to write. However, we still need to think about what to do
about rural areas that may be identified only by RFD numbers, or
perhaps by a farm or ranch name and a county. I don't know for
certain whether RFD numbers are ubiquitous within the rural US,
much less in Canada or elsewhere, and I don't believe that they
are necessarily unambiguous. (We used to live at RFD 92E, in
Boonton Twp, N.J. -- not exactly the Wyoming wilderness. But I suspect
that mail addressed to me at RFD 92 would have gotten there, and
probably just Boonton Twp.) I am also not certain that all
countries have a uniform set of street numbers -- as I recall Tokyo
doesn't, or at least didn't until fairly recently.
One assumption that is frequently made is that a user "discovers" his
DN, and that the PCA/CA merely endorses that user's discovery or
claim without making any independent attempt to validate that claim
(a potentially thorny legal question in any case, given the various states'
laws as to what constitutes a legal residence, domicile, etc.) In the
case of medium-assurance PCA, accepting the user's claim of a right to
use a mailing address, perhaps at least partially confirmed by sending a
certified letter containing his completed certificate, would be all that
anyone should reasonably expect, I should think. This would satisfy
the pragmatic issues of establishing an unambiguous name and
assuring that the individual can at least be contacted via that means,
if necessary by arresting him when he comes to pick up his mail.
(An Internet e-mail address would satisfy the first requirement, but not
the second.)
We could view this case as one of a de facto, PASSIVE naming
authority, consisting of the state and the locality operating jointly
to ensure that 1) there is no ambiguity in the naming of cities, towns,
and other geopolitical subdivisions within a given state (I hope), and
2) there is no ambiguity in the naming of streets and the assignment
of street numbers within a named locality.
In most cases, these assumptions will be correct. But there are a
few areas of potential confusion to be concerned about.
1. New Jersey uses a system of townships, which are used to
designate the area surrounding incorporated towns and cities. I
used to live in Boonton Twp, which surrounded Boonton like a
doughnut surrounds the hole. In most cases the division between
the town and the township made very little difference, but the
township operated their own school (K-8), plowed their own roads, etc.
To prevent confusion, the town and the township presumably tried
to avoid assigning the same name to two different streets, or
at least replicating street numbers, and the post office would
ignore the town/township boundaries and deliver the mail in any case.
I don't remember whether the town and the township shared a common
ZIP code. As I recall, all of the land within a county was supposed to
be in either a town or a township -- as a result the county government
was minimized and the township government had the responsibility
for the unincorporated areas that the county would have in other
states. In other states, the post office serves both the city or town and
the surrounding unincorporated area within the county, and no
distinction is made between the two. An individual's postal address
is that of the serving post office, whether or not he actually resides in
that town.
2. It is often the case that certain areas are used in common
parlance as a "locality," but the geopolitical unit no longer exists.
Perhaps a town or unincorporated area was annexed by another
town or city. A good example would be "Georgetown." Everyone
in Washington, DC knows where it is, at least approximately,
but to the best of my knowledge no such town or town
government still exists.
3. Residents of one area may tend to use a more prestigious
address in their mailing address. Potomac, MD is a high-prestige
address while Rockville is considered somewhat less so. As a
result, many people on the fringes may be served by the Potomac post
office when they really live in Rockville (or vice versa), and the post
office will deliver mail equally well in either case since the street names
are nonambiguous.
In the context of the NADF SD-5 naming schema (which has little if any
relevance outside of the US and Canada, and probably should not
be viewed as having been carved onto tablets of stone in any case),
this type of a naming authority does not "establish the right-to-use
for any name to be used, within the jurisdiction of the given naming
authority", because the naming authority is operating passively.
Presumably this is sufficient to provide uniqueness, which is
most of the issue, but establishing a "right" to use that particular
street name might require the examination of the land ownership
records and adjudication of any disputes, including the existence of
any recorded liens, rental agreements, family ties, etc.
My daughter currently lives in downtown Boston, but continues to
use our address on her checks (but not her bank statement), because
she expects that she may move within the year. Unless the mail lady
misses one, any mail addressed to her at our address is routinely
forwarded to her residence address. Now, does she have the "right" to
use our address as part of her DN? What if she were still in school?
If so, or if not, which agency of the state or local government is
responsible for acting as the naming authority and establishing or
denying that right? If it is not a state or local government agency, then
who IS the naming authority - the US (quasi-federal) Postal Service??
What about the case of a homeless person who takes out a PO
box at the post office or with Mail Boxes, Inc.? Do they
have the "right" to use that address in their DN? It is probably a
hypothetical question, but I have received mail sent to me care of
American Express in Paris, in care of IBM in Germany, in care of
Postmaster when I first moved into a city, and in care of a hotel
for up to three months at a time. Did I have the "right" to use those
names in a DN, and if so for how long? Did those individual
organizations have the right or duty to act as subsidiary
naming authorities to ensure that I had that right, and was
uniquely identified?
Assuming that a right to use the name existed in the first place,
what are the duties and responsibilities of the PCA, the CA, and/or
the individual user to notify someone when the user moves? Clearly
I shouldn't have to request a CRL when I go on vacation, but
what if I were to go to Florida for six months of the year? What if I
move to a different residence permanently, but my mail is still being
forwarded? Am I obligated to inform my PCA/CA? Who will enforce
this requirement? Should PCAs include a contractual obligation on
all their residential users to provide notification in case of a move?
What representations are being made by the various PCAs regarding
the accuracy and timeliness of this information?
Finally, let's consider the issue of the name of the PCA or CA
for a residential user.
If the name of the PCA that is the root of the hierarchy is displayed
to the PEM user, then I don't have a problem if the PCA certifies the
residential user directly, e.g.,
C=US, S=CA, O="RSA Data Security, Inc.", OU="High Assurance PCA",
OU="Residential User"
C=US, S=MA, L=Beantown, streetAddress="1 Beacon Street"
CN="I. M. Sombody"
(Note that a different certificate could be created for the non-
residential users under the RSA Commercial Hierarchy without causing
damage to the existing single-root-key implementation within Apple's
AOCE, simply by using and publishing the same public key for both
certificates. This doesn't provide as strong a firewall in the event of
a compromise as might be desirable, but we can certainly live with it
for a year or two.)
But I do have a very real problem if a CA that is NOT a state or local
government, nor an authorized agent of one, starts to pretend as if
they were.
Therefore I would NOT like to see a chain of certificates such as
C=US, S=CA, O="RSA Data Security, Inc.", OU="High Assurance PCA",
OU="Residential User"
C=US, S=MA
C=US, S=MA, L=Beantown, streetAddress="1 Beacon Street"
CN="I. M. Sombody"
unless the Commonwealth of Massachusetts is actually responsible for
operating the CA (through a contractor, if necessary, but under the
authority of the Commonwealth).
Worse yet, C=US, S=MA, O="Massachusetts Residential CA"
unless "Massachusetts Residential CA" is a corporation, government
agency, or other entity formally registered as such with the Secretary
of State or the equivalent within the Commonwealth.
Although the state of Mississippi may not care if someone starts
selling "Mississippi Mud Pies," as a user I very much care if someone
starts impersonating a state or local government unless they have the
explicit right to do so.
Steve Kent says
"If BBN were in the residential PCA business, which we are not,
I would write a letter to the secretary of state for each state for
which we plan to establish a CA. The letter would indicate our intent
to establish the CA in accordance with the principles established for
residential CAs in RFC 1422, with which I'm sure they are all familiar
;-). It would emphasize that this CA would NOT be used to
register anyone claiming an organizational affiliation with state or
municipal governments, but only individuals claiming residence within
the state, so that the state government would still be in a position
to act as CA for its employees, elected officials, etc."
I don't think this cuts it -- what is to prevent BBN from issuing
a certificate in the name of the Governor in this case, other than
internal policies?
I therefore recommend either of two choices: 1) Issue residential
certificates under the PCA root key, without name subordination
and without any particularly strong guarantees of uniqueness
and/or right-to-use, or
2) include the name of the organization issuing the certificate if
other than the government of the state and/or locality in question,
and insist on name subordination to that CA in this case. The second
case will ensure both uniqueness and right-to-use, since the CA
will reject any name that duplicates another name. (But see footnote.)
The problem with this approach is that PEM presently assumes that
there will always be a CA under a PCA, and that therefore any
certificate signed by a PCA must be a CA. This would potentially
allow an individual user to certify another individual user, while
pretending or appearing to be a CA.
I am increasingly inclined to agree with Matthew McGillis' suggestion
to use an explicit attribute to denote a CA and a PCA, not just an OU,
and to prevent the use of that attribute in an individual user's
DN.
Footnote:
I asked this question several months ago, but got no answer
so I will ask it again. Over what span of time is a DN required
to be unique? It's pretty clear that in the X.500 sense, a name
has to be "distinguished" for only so long as it is actually posted
in the directory. If someone deletes the name, it is presumably
available for reissue. But what would we like to see in terms of an
X.509 certificate that may be used to validate a signature for many
years into the future?
This isn't so much an issue for residential users as for organizational
persons. If a company happens to have only one John Jones in its
employ at the present time, and John were to leave that company,
are they able to issue a certificate to a second John Jones the very
next day? Next month? Next year? 40 years from now? Never?
I tend to think that somewhere between 40 years and never is about
right, and therefore think that the use of monotonically increasing
serial numbers as part of the RDN is highly advisable for all
organizational person certificates, regardless of whether the name
is "distinguished" in the immediate, temporary X.500 sense.
Bob
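The checks argued for in the message above (RFC 1422 name subordination below a CA, an explicit attribute marking a name as a CA or PCA rather than inferring it from an OU, and flagging a CA whose name consists only of country/state/locality attributes and so reads as a government naming authority), as an added example that is not code from the original message, from RFC 1422 or from any PEM implementation. The DN syntax is the comma-separated form used in the message; the `pcaName` and `caName` attribute types, and the sample DNs that carry them, are assumptions made for illustration and are not registered X.500 attributes.

```python
"""Checks on PEM-style certificate chains: name subordination, explicit
CA/PCA marker attributes, and CA names that impersonate a state or locality.
Added example, not code from the original message or from RFC 1422.
Assumption: 'pcaName' / 'caName' stand in for the explicit CA/PCA marker
attribute proposed in the thread; they are not real X.500 attribute types."""
import re

GEOPOLITICAL = {"C", "S", "L"}        # attributes that name a place, not an organization
CA_MARKERS = {"pcaName", "caName"}    # hypothetical explicit CA / PCA designators

# One RDN: attribute=value, where value is either double-quoted (may contain
# commas) or runs up to the next comma; trailing whitespace is not captured.
_RDN = re.compile(r'\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*?)\s*(?:,|$)')


def parse_dn(dn):
    """Parse a DN string into an ordered list of (attribute, value) pairs.
    A plain split on ',' would break 'RSA Data Security, Inc.', hence the regex."""
    rdns, pos = [], 0
    while pos < len(dn):
        m = _RDN.match(dn, pos)
        if not m:
            raise ValueError(f"unparseable DN at offset {pos}: {dn!r}")
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rdns.append((m.group(1), value))
        pos = m.end()
    return rdns


def is_subordinate(issuer_dn, subject_dn):
    """RFC 1422 name subordination: the issuer's RDN sequence must be a
    proper prefix of the subject's RDN sequence."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return len(subject) > len(issuer) and subject[:len(issuer)] == issuer


def is_ca(dn):
    """A name is a CA/PCA only if it carries an explicit marker attribute,
    not merely because a PCA happened to sign it."""
    return any(attr in CA_MARKERS for attr, _ in parse_dn(dn))


def looks_governmental(dn):
    """True when a name is built only from C/S/L attributes, i.e. it reads as
    a state or locality rather than as an identifiable organization."""
    return all(attr in GEOPOLITICAL for attr, _ in parse_dn(dn))


def check_chain(chain):
    """chain[0] is the PCA, chain[-1] the end entity, anything between is a CA.
    Returns a list of findings; an empty list means the chain passes."""
    findings = []
    for i in range(1, len(chain)):
        issuer, subject = chain[i - 1], chain[i]
        # Certificates issued directly by the PCA are exempt from subordination;
        # everything issued by a CA must be subordinate to that CA's name.
        if i > 1 and not is_subordinate(issuer, subject):
            findings.append(f"not subordinate to issuer: {subject}")
        if i < len(chain) - 1:  # an intermediate, i.e. a CA
            if not is_ca(subject):
                findings.append(f"intermediate lacks an explicit CA marker: {subject}")
            if looks_governmental(subject):
                findings.append(f"CA name implies a government naming authority: {subject}")
    if is_ca(chain[-1]):  # a user must never be able to carry the marker
        findings.append(f"end-entity DN carries a CA/PCA marker: {chain[-1]}")
    return findings


# Constructed sample chains modelled on the DNs in the message.
PCA = ('C=US, S=CA, O="RSA Data Security, Inc.", OU="High Assurance PCA", '
       'OU="Residential User", pcaName="High Assurance PCA"')
USER = 'C=US, S=MA, L=Beantown, streetAddress="1 Beacon Street", CN="I. M. Sombody"'
NAMED_CA = 'C=US, S=MA, O="Massachusetts Residential CA", caName="Massachusetts Residential CA"'

ACCEPTABLE = [PCA, USER]                 # PCA certifies the residential user directly
OBJECTIONABLE = [PCA, "C=US, S=MA", USER]  # a CA pretending to be the Commonwealth
UNSUBORDINATED = [PCA, NAMED_CA, USER]   # named CA, but the user's DN is not below it

if __name__ == "__main__":
    for label, chain in [("acceptable", ACCEPTABLE), ("objectionable", OBJECTIONABLE),
                         ("unsubordinated", UNSUBORDINATED)]:
        print(label, check_chain(chain) or "ok")
```

The subordination rule is deliberately not applied to the PCA's own issuance, matching the first of the two options in the message (residential certificates under the PCA root key without subordination); a CA that wants to be named must then accept that every name it issues sits below its own.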